a  `)g@sddlmZmZmZddlZddlZddlZddlmZddl Z ddl m Z ddl m Z ddlmZmZmZmZmZddlmZmZddlmZdd lmZed d d ZGd d d eZddZddZddZ GdddeZ!d6ddZ"d7ddZ#d8ddZ$d9ddZ%d:ddZ&d;d d!Z'Gd"d#d#eZ(e )ej*Gd$d%d%e+Z,e )ej*Gd&d'd'e+Z-e )ej*Gd(d)d)e+Z.e )ej*Gd*d+d+e+Z/Gd,d-d-e+Z0Gd.d/d/e+Z1Gd0d1d1e+Z2Gd2d3d3e+Z3d4d5Z4dS)<)absolute_importdivisionprint_functionN)Enum)utils) _get_backend)dsaeced25519ed448rsa) Extension ExtensionType)Name)ObjectIdentifiericseZdZfddZZS)AttributeNotFoundcstt||||_dSN)superr__init__oid)selfmsgr __class__8/usr/lib/python3/dist-packages/cryptography/x509/base.pyr szAttributeNotFound.__init____name__ __module__ __qualname__r __classcell__rrrrrsrcCs"|D]}|j|jkrtdqdS)Nz$This extension has already been set.)r ValueError) extension extensionserrr_reject_duplicate_extension%s r&cCs"|D]\}}||krtdqdS)Nz$This attribute has already been set.)r")r attributesZattr_oid_rrr_reject_duplicate_attribute,s r)cCs:|jdur2|}|r|nt}|jdd|S|SdS)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r*Z utcoffsetdatetimeZ timedeltareplace)timeoffsetrrr_convert_to_naive_utc_time3s  r/c@seZdZdZdZdS)VersionrN)rrr Zv1v3rrrrr0Asr0cCst|}||Sr)rload_pem_x509_certificatedatabackendrrrr3Fsr3cCst|}||Sr)rload_der_x509_certificater4rrrr7Ksr7cCst|}||Sr)rload_pem_x509_csrr4rrrr8Psr8cCst|}||Sr)rload_der_x509_csrr4rrrr9Usr9cCst|}||Sr)rload_pem_x509_crlr4rrrr:Zsr:cCst|}||Sr)rload_der_x509_crlr4rrrr;_sr;cseZdZfddZZS)InvalidVersioncstt||||_dSr)rr<rparsed_version)rrr=rrrreszInvalidVersion.__init__rrrrrr<dsr<c@seZdZejddZejddZejddZejddZ ejd d Z ejd d Z ejd dZ ejddZ ejddZejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zd#S)$ CertificatecCsdSz4 Returns bytes using digest passed. Nrr algorithmrrr fingerprintlszCertificate.fingerprintcCsdS)z3 Returns certificate serial number Nrrrrr serial_numberrszCertificate.serial_numbercCsdS)z1 Returns the certificate version NrrCrrrversionxszCertificate.versioncCsdSz( Returns the public key NrrCrrr public_key~szCertificate.public_keycCsdS)z? Not before time (represented as UTC datetime) NrrCrrrnot_valid_beforeszCertificate.not_valid_beforecCsdS)z> Not after time (represented as UTC datetime) NrrCrrrnot_valid_afterszCertificate.not_valid_aftercCsdS)z1 Returns the issuer name object. NrrCrrrissuerszCertificate.issuercCsdSz2 Returns the subject name object. NrrCrrrsubjectszCertificate.subjectcCsdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. NrrCrrrsignature_hash_algorithmsz$Certificate.signature_hash_algorithmcCsdSzJ Returns the ObjectIdentifier of the signature algorithm. NrrCrrrsignature_algorithm_oidsz#Certificate.signature_algorithm_oidcCsdS)z/ Returns an Extensions object. NrrCrrrr$szCertificate.extensionscCsdSz. Returns the signature bytes. NrrCrrr signatureszCertificate.signaturecCsdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. NrrCrrrtbs_certificate_bytessz!Certificate.tbs_certificate_bytescCsdSz" Checks equality. Nrrotherrrr__eq__szCertificate.__eq__cCsdSz# Checks not equal. NrrUrrr__ne__szCertificate.__ne__cCsdSz" Computes a hash. NrrCrrr__hash__szCertificate.__hash__cCsdS)zB Serializes the certificate to PEM or DER format. Nrrencodingrrr public_bytesszCertificate.public_bytesN)rrr abcabstractmethodrBabstractpropertyrDrErGrHrIrJrLrNrPr$rRrSrWrYr[r^rrrrr>jsD                r>c@seZdZejddZejddZejddZejddZ ejd d Z ejd d Z ejd dZ ejddZ ejddZejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zd#S)$CertificateRevocationListcCsdS)z: Serializes the CRL to PEM or DER format. Nrr\rrrr^sz&CertificateRevocationList.public_bytescCsdSr?rr@rrrrBsz%CertificateRevocationList.fingerprintcCsdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr)rrDrrr(get_revoked_certificate_by_serial_numberszBCertificateRevocationList.get_revoked_certificate_by_serial_numbercCsdSrMrrCrrrrNsz2CertificateRevocationList.signature_hash_algorithmcCsdSrOrrCrrrrPsz1CertificateRevocationList.signature_algorithm_oidcCsdS)zC Returns the X509Name with the issuer of this CRL. NrrCrrrrJsz CertificateRevocationList.issuercCsdS)z? Returns the date of next update for this CRL. NrrCrrr next_updatesz%CertificateRevocationList.next_updatecCsdS)z? Returns the date of last update for this CRL. NrrCrrr last_updatesz%CertificateRevocationList.last_updatecCsdS)zS Returns an Extensions object containing a list of CRL extensions. NrrCrrrr$sz$CertificateRevocationList.extensionscCsdSrQrrCrrrrRsz#CertificateRevocationList.signaturecCsdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. NrrCrrrtbs_certlist_bytessz,CertificateRevocationList.tbs_certlist_bytescCsdSrTrrUrrrrWsz CertificateRevocationList.__eq__cCsdSrXrrUrrrrY sz CertificateRevocationList.__ne__cCsdS)z< Number of revoked certificates in the CRL. NrrCrrr__len__&sz!CertificateRevocationList.__len__cCsdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr)ridxrrr __getitem__,sz%CertificateRevocationList.__getitem__cCsdS)z8 Iterator over the revoked certificates NrrCrrr__iter__2sz"CertificateRevocationList.__iter__cCsdS)zQ Verifies signature of revocation list against given public key. Nr)rrGrrris_signature_valid8sz,CertificateRevocationList.is_signature_validN)rrr r_r`r^rBrcrarNrPrJrdrer$rRrfrWrYrgrirjrkrrrrrbsD                rbc@seZdZejddZejddZejddZejddZej d d Z ej d d Z ej d dZ ej ddZ ejddZej ddZej ddZej ddZej ddZdS)CertificateSigningRequestcCsdSrTrrUrrrrWAsz CertificateSigningRequest.__eq__cCsdSrXrrUrrrrYGsz CertificateSigningRequest.__ne__cCsdSrZrrCrrrr[Msz"CertificateSigningRequest.__hash__cCsdSrFrrCrrrrGSsz$CertificateSigningRequest.public_keycCsdSrKrrCrrrrLYsz!CertificateSigningRequest.subjectcCsdSrMrrCrrrrN_sz2CertificateSigningRequest.signature_hash_algorithmcCsdSrOrrCrrrrPfsz1CertificateSigningRequest.signature_algorithm_oidcCsdS)z@ Returns the extensions in the signing request. NrrCrrrr$lsz$CertificateSigningRequest.extensionscCsdS)z; Encodes the request to PEM or DER format. Nrr\rrrr^rsz&CertificateSigningRequest.public_bytescCsdSrQrrCrrrrRxsz#CertificateSigningRequest.signaturecCsdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. NrrCrrrtbs_certrequest_bytes~sz/CertificateSigningRequest.tbs_certrequest_bytescCsdS)z8 Verifies signature of signing request. NrrCrrrrksz,CertificateSigningRequest.is_signature_validcCsdS)z: Get the attribute value for a given OID. NrrCrrrget_attribute_for_oidsz/CertificateSigningRequest.get_attribute_for_oidN)rrr r_r`rWrYr[rGrarLrNrPr$r^rRrmrkrnrrrrrl?s4            rlc@s6eZdZejddZejddZejddZdS)RevokedCertificatecCsdS)zG Returns the serial number of the revoked certificate. NrrCrrrrDsz RevokedCertificate.serial_numbercCsdS)zH Returns the date of when this certificate was revoked. NrrCrrrrevocation_datesz"RevokedCertificate.revocation_datecCsdS)zW Returns an Extensions object containing a list of Revoked extensions. NrrCrrrr$szRevokedCertificate.extensionsN)rrr r_rarDrpr$rrrrros   roc@s>eZdZdggfddZddZddZdd Zd d d ZdS) CertificateSigningRequestBuilderNcCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_name _extensions _attributes)r subject_namer$r'rrrrsz)CertificateSigningRequestBuilder.__init__cCs4t|tstd|jdur$tdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.) isinstancer TypeErrorrrr"rqrsrtrnamerrrrus   z-CertificateSigningRequestBuilder.subject_namecCsDt|tstdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rxrryr rr&rsrqrrrtrr#Zcriticalrrr add_extensions   z.CertificateSigningRequestBuilder.add_extensioncCsLt|tstdt|ts$tdt||jt|j|j|j||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytes) rxrrybytesr)rtrqrrrs)rrvaluerrr add_attributes   z.CertificateSigningRequestBuilder.add_attributecCs(t|}|jdurtd||||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rrrr"Zcreate_x509_csrrZ private_keyrAr6rrrsigns z%CertificateSigningRequestBuilder.sign)N)rrr rrur~rrrrrrrqs  rqc@sfeZdZddddddgfddZddZddZdd Zd d Zd d ZddZ ddZ dddZ dS)CertificateBuilderNcCs6tj|_||_||_||_||_||_||_||_ dSr) r0r2Z_version _issuer_namerr _public_key_serial_number_not_valid_before_not_valid_afterrs)r issuer_namerurGrDrHrIr$rrrrs zCertificateBuilder.__init__cCsDt|tstd|jdur$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rvN%The issuer name may only be set once.) rxrryrr"rrrrrrrrsrzrrrrs  zCertificateBuilder.issuer_namecCsDt|tstd|jdur$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rvNrw) rxrryrrr"rrrrrrrsrzrrrrus  zCertificateBuilder.subject_namecCsXt|tjtjtjtjt j fs&t d|j dur8t dt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zhExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey or Ed448PublicKey.Nz$The public key may only be set once.)rxrZ DSAPublicKeyr Z RSAPublicKeyr ZEllipticCurvePublicKeyr ZEd25519PublicKeyr ZEd448PublicKeyryrr"rrrrrrrrs)rkeyrrrrG s.  zCertificateBuilder.public_keycCsjt|tjstd|jdur&td|dkr6td|dkrJtdt|j|j |j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.)rxsix integer_typesryrr" bit_lengthrrrrrrrrsrZnumberrrrrD?s&   z CertificateBuilder.serial_numbercCszt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rxr+ryrr"r/_EARLIEST_UTC_TIMErrrrrrrrsrr-rrrrHZs,  z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.ztd|jdurPtd|jdurbtd|jdurttd||||S)zC Signs the certificate using the CA's private key. Nz&A certificate must have a subject namez&A certificate must have an issuer namez'A certificate must have a serial numberz/A certificate must have a not valid before timez.A certificate must have a not valid after timez$A certificate must have a public key) rrrr"rrrrrZcreate_x509_certificaterrrrrs      zCertificateBuilder.sign)N) rrr rrrurGrDrHrIr~rrrrrrs   rc@sReZdZdddggfddZddZddZdd Zd d Zd d ZdddZ dS) CertificateRevocationListBuilderNcCs"||_||_||_||_||_dSr)r _last_update _next_updaters_revoked_certificates)rrrerdr$Zrevoked_certificatesrrrrs z)CertificateRevocationListBuilder.__init__cCs<t|tstd|jdur$tdt||j|j|j|j S)Nrvr) rxrryrr"rrrrsr)rrrrrrs  z,CertificateRevocationListBuilder.issuer_namecCsrt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j ||j|j |j S)Nr!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rxr+ryrr"r/rrrrrsr)rrerrrres(  z,CertificateRevocationListBuilder.last_updatecCsrt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j||j |j S)Nrrrz8The next update date must be after the last update date.) rxr+ryrr"r/rrrrrsr)rrdrrrrds(  z,CertificateRevocationListBuilder.next_updatecCsLt|tstdt|j||}t||jt|j|j |j |j|g|j S)zM Adds an X.509 extension to the certificate revocation list. r|) rxrryr rr&rsrrrrrr}rrrr~ s   z.CertificateRevocationListBuilder.add_extensioncCs2t|tstdt|j|j|j|j|j|gS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rxroryrrrrrsr)rZrevoked_certificaterrradd_revoked_certificates  z8CertificateRevocationListBuilder.add_revoked_certificatecCsLt|}|jdurtd|jdur,td|jdur>td||||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rrr"rrZcreate_x509_crlrrrrr-s   z%CertificateRevocationListBuilder.sign)N) rrr rrrerdr~rrrrrrrs  rc@s>eZdZddgfddZddZddZdd Zd d d ZdS) RevokedCertificateBuilderNcCs||_||_||_dSr)r_revocation_daters)rrDrpr$rrrr<sz"RevokedCertificateBuilder.__init__cCsZt|tjstd|jdur&td|dkr6td|dkrJtdt||j|j S)Nrrrz$The serial number should be positiverr) rxrrryrr"rrrrsrrrrrDCs    z'RevokedCertificateBuilder.serial_numbercCsNt|tjstd|jdur&tdt|}|tkr>tdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rxr+ryrr"r/rrrrsrrrrrpUs   z)RevokedCertificateBuilder.revocation_datecCsDt|tstdt|j||}t||jt|j|j |j|gS)Nr|) rxrryr rr&rsrrrr}rrrr~cs   z'RevokedCertificateBuilder.add_extensioncCs6t|}|jdurtd|jdur,td||S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rrr"rZcreate_x509_revoked_certificate)rr6rrrbuildos  zRevokedCertificateBuilder.build)N)rrr rrDrpr~rrrrrr;s   rcCsttddd?S)NZbigr)rZint_from_bytesosurandomrrrrrandom_serial_number{sr)N)N)N)N)N)N)5Z __future__rrrr_r+renumrrZ cryptographyrZcryptography.hazmat.backendsrZ)cryptography.hazmat.primitives.asymmetricrr r r r Zcryptography.x509.extensionsr rZcryptography.x509.namerZcryptography.x509.oidrr Exceptionrr&r)r/r0r3r7r8r9r:r;r<Z add_metaclassABCMetaobjectr>rbrlrorqrrrrrrrrsL            i j R A^v@